Applicant : Robert Bruce Hirsh Attorney's Docket No.: 06975-200001 / Security 13 

Serial No. : 09/894,919 

Filed : June 29, 2001 

Page : 14 of 21 



REMARKS 

Claims 20, 21, 24-28, 30-39, and 55-95 are pending, with claims 20, 67, and 81 being 
independent. No claims have been amended. 

35 U.S.C. § 102(e)/§ 103(a) Cohen Rejections 

Claims 20-21, 24-28, 30-39, and 55-95 have been rejected under 35 U.S.C. § 102(e) as 
being anticipated by or under 35 U.S.C. § 103(a) as being obvious over Cohen (U.S. Patent No. 
6,178,511). For at least the following reasons, Applicant respectfully requests withdrawal of 
these rejections. 

Independent Claim 20 And Its Dependent Claims 

Independent claim 20 relates to a "method, performed by an intermediary, of leveraging a 
persistent connection with a client to provide the client with access to a secured service," and 
recites, among other things, "authenticating the intermediary to the secured service, responsive to 
[a] request" by a client for access to the secured service and "enabling access by the client to the 
secured service conditioned on whether the intermediary is successfully authenticated to the 
secured service." Cohen fails to describe or suggest at least these features of claim 20. 

Cohen describes a single sign-on (SSO) system in which a user signs on to the SSO 
system one time and the SSO system signs the user on to other applications. (Cohen at col. 2, 
lines 29-32). For each user, the SSO system securely stores that user's username, password, and 
other pertinent login information for each other application that the user may wish to access. (Id. 
at col. 4, line 61 to col. 5, line 6). This information has been previously entered into the SSO 
system by the user. (Id. at col. 5, lines 45-57). Once the user has logged in to the SSO system, 
the SSO system retrieves that user's usernames, passwords, and other login information for the 
other applications, and automatically logs the user in to the other applications without further 
user intervention. (Id. at col. 6, lines 8-45). The SSO system of Cohen thus provides a method 
of leveraging stored user information to enable user login to multiple applications. (Id. at col. 6, 
lines 46-48). Notably, in Cohen, the user login information is used to log the user into each 
application directly. 

Thus, Cohen fails to describe or suggest "authenticating the intermediary to the secured 
service," as claimed. That is, the intermediary of Cohen is never itself authenticated to the 
secured service. Rather, in Cohen, as indicated above, the user's credentials are always 
submitted to the secured service for authentication of the user, without regard for authentication 
of the intermediary SSO. 

Moreover, Cohen fails to describe or suggest at least "authenticating the intermediary to 
the secured service, responsive to [a] request" by a client for access to the secured service, and 
"enabling access by the client to the secured service conditioned on whether the intermediary is 
successfully authenticated to the secured service." Rather, in Cohen, the SSO system (which the 
Office Action equates to the claimed intermediary) logs the user in to another application (which 
the Office Action equates to the claimed secured service) by using the user's username and 
password that has been previously entered and stored on the SSO system. The SSO system does 
not authenticate itself to the other application and enable access by the user to the other 
application conditioned on whether the SSO system is authenticated to the other application, as 
required by claim 20. Indeed, the SSO system of Cohen simply facilitates use of passwords 
previously stored by the user to automatically log a user in to another application. 

For at least the foregoing reasons, claim 20, and its dependent claims 21, 24-28, 30-39, 
and 55-66 are patentable over Cohen. 

Furthermore, and independently of the reasons articulated above with respect to claim 20, 
Applicant traverses the rejections of dependent claims 35, 36, 37, 55, 56, and 66 because the 
Examiner has improperly taken Official Notice that the following features are conventional and 
well known: "the use of a threshold number to limit use of authorization information" (claims 36 
and 37); "the use of one-time passwords" (claim 37); "the use of client-server communications 
independent of an intermediary" (claims 55 and 56); and "the use of direct authentication by a 
user" (claim 66). Applicant respectfully submits that these features were not conventional and 
well known at the time of the invention, at least in the context of the claimed invention, and 
therefore respectfully requests a showing of documentary evidence of these features to the extent 
that a rejection of claims 35, 36, 37, 55, 56, and 66 is maintained. Applicant also respectfully 
submits that, to the extent these features were conventional and well known, the Office Action 
has provided no motivation or suggestion for making the proposed modifications to Cohen based 
on these features. For at least these additional reasons, Applicant respectfully requests the 
withdrawal of the rejections of claims 35, 36, 37, 55, 56, and 66. 

Independent Claim 67 And Its Dependent Claims 

Independent claim 67 relates to a "method, performed by a client, of leveraging a 
connection with an intermediary to access a secured service" and recites, among other things, 
"receiving, from the intermediary, constrained authorization information that has been 
authenticated by the secured service, responsive to the client request" and "submitting, by the 
client, the constrained authorization information to the secured service to establish a direct 
authenticated connection between the client and the secured service independent of the 
authenticated connection between the client and the intermediary." 

Cohen fails to describe or suggest at least these features of claim 67. As discussed in 
more detail above, Cohen describes a single sign-on (SSO) system in which a user signs on to the 
SSO system and the SSO system signs on to other applications on the user's behalf using the 
user's usernames and passwords that have been stored on the SSO system. In Cohen, the user 
does not receive constrained authorization information from the SSO system (which the Office 
Action equates to the claimed intermediary) that has been authenticated by the application 
(which the Office Action equates to the claimed secured service). The user also does not submit 
the constrained authorization information to the application to establish a direct connection with 
the application independent of the connection between the user and the SSO service. Rather, in 
Cohen the SSO system directly authenticates the user to the application by using the user's own 
stored username and password, and the user accesses the application through the connection that 
the user has established with the SSO service. 

The Office Action acknowledges that Cohen fails to describe or suggest "submitting, by 
the client, the constrained authorization information to the secured service to establish a direct 
authenticated connection between the client and the secured service independent of the 
authenticated connection between the client and the intermediary." To show these features, the 
Office Action relies on its Official Notice "that the use of client-server communications 
independent of an intermediary was conventional and well known." Applicant submits that this 
use of Official Notice has two problems: (1) the Official Notice fails to meet the recited 
limitations for which Cohen is deficient and for which the Official Notice is relied upon; and (2) 
the features that were noticed are not believed to have been conventional and well known at the 
time of the invention, at least in the context of claim 67. 

With respect to item (1), even accepting for the sake of argument that the Examiner's use 
of Official Notice is proper, the rejection of claim 67 is improper because the facts for which 
Official Notice is taken do not remedy the deficiencies of Cohen. The "use of client-server 
communications independent of an intermediary" does not meet the claim feature of "submitting, 
by the client, the constrained authorization information to the secured service to establish a direct 
authenticated connection between the client and the secured service independent of the 
authenticated connection between the client and the intermediary." That is, even if clients and 
servers were known to communicate without an intermediary, this does not mean that it would 
have been obvious to modify Cohen so that the user receives constrained authorization 
information from the SSO system and submits that information to the other application to enable 
communications between the client and the other application independent of the SSO system. 

Indeed, Cohen teaches away from the proposed modification. Cohen teaches that the 
user accesses the application transparently through the SSO service by allowing the SSO service 
to automatically log the user into the application using the user's own username and password. 
In contrast, claim 67 recites that the client receives constrained authentication information from 
the intermediary and submits that information to establish a connection with the secured service 
independent of the intermediary. Only through the impermissible use of hindsight would it have 
been obvious to modify Cohen in the way proposed in the Office Action. 

With respect to item (2), if Official Notice is to be relied upon for the proposition "that 
the use of client-server communications independent of an intermediary was conventional and 
well known," Applicant requests that the Examiner produce documentary evidence of these 
features. 

For at least the foregoing reasons, claim 67, and its dependent claims 68-80, are 
patentable over Cohen. 

Furthermore, Applicant traverses the rejection of dependent claims 73, 79, and 80 
because the Examiner has improperly taken Official Notice that the following features are 
conventional and well known: "the use of a threshold number, a time window, and to received 
the information from the client attempting access to information, to limit use of authorization 
information" (claim 73); and "the use of direct authentication by a user" (claims 79 and 80). 
Applicant respectfully submits that these features were not necessarily conventional and well 
known at the time of the invention, at least in the context of the claimed invention. Absent 
documentary evidence of these features, the rejections of claims 73, 79, and 80 are improper. 
Moreover, Applicant respectfully submits that to the extent these features were conventional and 
well known, the Office Action has provided no motivation or suggestion for making the 
proposed modifications to Cohen based on these features. For at least these additional reasons, 
Applicant respectfully requests the withdrawal of the rejections of claims 73, 79, and 80. 

Independent Claim 81 And Its Dependent Claims 

Independent claim 81 relates to a "method, performed by a secured service, of allowing a 
client access based on an authenticated connection between the client and an intermediary" and 
recites, among other things, "determining whether a trusted relationship exists between the 
secured service and the intermediary, responsive to the client request," and "conditioned on the 
existence of a trusted relationship between the secured service and the intermediary, enabling 
access by the client to the secured service." 

Cohen fails to describe or suggest at least these features of claim 81. As discussed in 
more detail above, Cohen describes a single sign-on (SSO) system in which a user signs on to the 
SSO system one time and the SSO system signs on to other applications on the user's behalf 
using the user's usernames and passwords that have been stored on the SSO system. In Cohen, 
the application (which the Office Action equates to the claimed secured service) does not 
determine whether a trusted relationship exists between the application and the SSO system 
(which the Office Action equates to the claimed intermediary), and does not enable access by the 
user to the application conditioned on the existence of that trusted relationship. Rather, in 
Cohen, the application authenticates the user's username and password, which are provided by 
the SSO service and, conditioned on the acceptance of the user's username and password, allows 
the user to access the application through the SSO service. 

The Office Action acknowledges that Cohen fails to describe or suggest these features of 
claim 81. To show these features, the Examiner takes Official Notice "that the use of 'trusted 
connections' was conventional and well known." Applicant submits that the taking of Official 
Notice is improper because: (1) the Official Notice fails to meet the recited limitations, for which 
Cohen is deficient and for which the Official Notice is relied upon; and (2) the features that were 
noticed are not believed to have been well known at the time of the invention, at least in the 
context of claim 81. 

With respect to item (1), even accepting for the sake of argument that the Examiner's use 
of Official Notice is proper, the rejection of claim 81 is improper because the facts for which 
Official Notice is taken do not remedy the deficiencies of Cohen. The "use of 'trusted 
connections'" does not meet the claim features of "determining whether a trusted relationship 
exists between the secured service and the intermediary, responsive to the client request," and 
"conditioned on the existence of a trusted relationship between the secured service and the 
intermediary, enabling access by the client to the secured service." That is, even if it may have 
been known to use trusted connections, this does not mean that it would have been obvious to 
modify Cohen so that the application authenticates the SSO system and enables the user to 
access the application based upon authentication of the SSO system. 

Indeed, Cohen teaches away from the proposed modification. Cohen teaches that the 
other application receives the username and password for the user such that the application 
authenticates the user. The application of Cohen does not authenticate the SSO system itself, as 
required by claim 81. Only through the impermissible use of hindsight would it have been 
obvious to modify Cohen to authenticate the SSO system instead of the user, as proposed in the 
Office Action. 

With respect to item (2), if Official Notice is to be relied upon for the proposition "that 
the use of 'trusted connections' was conventional and well known," Applicant requests that the 
Examiner produce documentary evidence of these features. 

For at least the foregoing reasons, claim 81, and its dependent claims 82-95, are 
patentable over Cohen. 

Furthermore, Applicant traverses the rejection of dependent claims 84, 87, 88, 89, 90, and 
95 because the Examiner has improperly taken Official Notice that the following features are 
conventional and well known: "the use of a threshold number, a time window, and to received 
the information from the client attempting access to information, to limit use of authorization 
information" (claims 84 and 87); "the use of client-server communications independent of an 
intermediary" (claims 88 and 89); "the use of 'trusted connections'" (claim 90); and "the use of 
direct authentication by a user" (claim 95). Applicant respectfully submits that these features 
were not necessarily conventional and well known at the time of the invention, at least in the 
context of the claimed invention. Absent documentary evidence of these features, the rejections 
of claims 84, 87, 88, 89, 90, and 95 are improper. Moreover, Applicant respectfully submits that 
to the extent these features were conventional and well known, the Office Action has provided 
no motivation or suggestion for making the proposed modifications to Cohen based on these 
features. For at least these additional reasons, Applicant respectfully requests the withdrawal of 
the rejections of claims 84, 87, 88, 89, 90, and 95. 



Applicant does not acquiesce to the characterizations of the art. For brevity and to 
advance prosecution, however, Applicant has not addressed all characterizations of the art, but 
reserves the right to do so in further prosecution of this or a subsequent application. 



Conclusion 

No fee is believed to be due at this time. Please apply any other charges or credits to 
deposit account 06-1050. 

Telephone: (202) 783-5070 
Facsimile: (202) 783-2331 



Respectfully submitted, 




Reg. No. 46,899 






